I. Field
The present invention generally relates to packet data communications, and more particularly, to monitoring and controlling of packet data flows during packet data communications.
II. Background
The global interconnection of networks allows information to be swiftly accessed irrespective of geographical distances. FIG. 1 shows a simplified schematic drawing of the global connection of networks, commonly referred to as the Internet, signified by the reference numeral 20. The Internet 20 is in essence many networks with different levels of hierarchy linked together. The Internet 20 is operated under the IP (Internet Protocol) promulgated by the IETF (Internet Engineering Task Force). Details of the IP can be found in RFC (Request For Comments) 791 published by the IETF.
Connected to the Internet 20 are various individual networks, sometimes called LANs (Local Area Networks) or WANs (Wide Area Networks) depending on the network sizes. Shown in FIG. 1 are some of such networks 22, 24 and 26.
Within each of the networks 22, 24, and 26, there can be various pieces of equipment connected to and in communication with each other. Examples are computers, printers, and servers, to name just a few. Each piece of equipment has a unique hardware address, commonly called the MAC (Media Access Control) address. The piece of equipment with the MAC address is sometimes called a node. When the node communicates beyond its own network via the Internet 20, an IP address needs to be assigned to the node.
The assignment of the IP address can be manual or automatic. The manual assignment of the IP address can be performed by a network administrator, for example. More often, the IP address is automatically assigned. For instance, in a LAN, the IP address can be assigned by a server called the DHCP (Dynamic Host Control Protocol) server (not shown) residing inside the node's LAN. Furthermore, in a WAN which supports wireless technologies, IP addresses can be assigned automatically and remotely.
Returning now to FIG. 1, as an example, suppose a node 30 in the network 22 attempts to send a data packet to another node 34 in the network 24. Under the IP, each data packet needs to have a source address and a destination address. In this case, the source address is the address of the node 30 in the network 22. The destination address is the address of the node 34 in the network 24. Operating in such a manner, the nodes 30 and 34 are said to be communicating under the Simple IP transport mode in which both nodes 30 and 34 simply use their own IP addresses in the exchange of data packets to conform with the IP.
The advent of wireless technologies allows nodes to move away from their originally registered network to another network. For instance, referring back to FIG. 1, the node 30, instead of being permanently wired to the network 22, can be a wireless device, such as a PDA (Personal Device Assistant), a cellular phone, or a mobile computer. The wireless node 30 can travel beyond the boundary of its home network 22. Thus, the node 30 may roam away from its home network 22 to a foreign network 26. Under such a scenario, the original address assigned to the node 30 would no longer be applicable to the node 30. As such, data packets destined for that address of the node 30 may not reach the node 30.
The Mobile IP (Mobile Internet Protocol) set forth by the IETF is intended to deal with the node mobility problems. In accordance with the RFC 2002 published by the IETF, whenever away from the home network 22 and roaming in another network, the node 30 is assigned a “care-of address,” abbreviated as CoA (Care-of Address).
Under the RFC 2002, there are two types of CoA, namely, the FA CoA (Foreign Agent Care-of Address) and the CCoA (Co-located Care of Address).
The FA CoA is in essence the address of a FA (Foreign Agent), which is a designated server in the foreign network in which the node 30 is located. The use of the FA CoA is applicable in the IPv4.
The CCoA is an individual but temporary address assigned to the node 30 by the foreign network. The use of the CCoA is applicable in both the IPv4 and IPv6.
In any case, anytime the node 30 is in a foreign territory, the node 30 must register the CoA, be it the FA CoA or the CCoA, with its home network 22, so that the home network 22 always knows the whereabouts of the node 30. After registration, the CoA is stored in the routing table maintained by a designated server, called the HA (Home Agent) 25 of the home network 22.
Take a few examples for illustration.
For the case of the FA CoA, suppose the node 30 roams into the foreign network 26. Upon reaching the territorial limit of the foreign network 26, the node 30 receives an advertisement message from the foreign network 26 informing the node 30 of its presence in the foreign territory. From the advertisement message, the node 30 knows the address of the FA 36 of the foreign network 26. The node 30 then registers the FA CoA with the HA 25 in the home network 22.
When the node 30 in the foreign network 26 sends out a data packet to the node 34 in the network 24, for example, knowing the address of the node 34 in the network 24, the data packet can be sent straightforwardly. That is, in accordance with the IP, in the data packet, the source address can be set to the HoA (Home Address) of the node 30 and the destination address can be set to the address of the node 34 in the network 24. The direction of the data packet is shown as data path 38 in FIG. 1.
As for the reverse data traffic, it is not as straightforward. In the reverse data route, when the node 34 in the network 24 attempts to send a data packet to the node 30, now in the foreign network 26, as mentioned above, in conformance with the IP, both the source and the destination addresses must be specified in the data packet. In this case, the source address is the IP address of the node 34 in the network 24. As for the destination address, without any update notice from the node 30, the node 34 only knows the HoA of the node 30, not the FA CoA of the node 30. Thus, the destination address will be set to the HoA of the node 30.
Nevertheless, since the FA CoA of the node 30 is stored in the routing table of the HA 25 in the home network 22, when the data packet reaches the home network 22, the HA 25 of the network 22 encapsulates the received data packet with the stored FA CoA and sends it to the node 30 in the foreign network 26. That is, the encapsulated data packet utilizes the FA CoA as the destination address. Once the foreign network 26 receives the encapsulated data packet, the FA 36 merely strips away the encapsulated FA CoA and delivers the original packet to the mobile node 30. The route of the data packet is shown as data path 40 in FIG. 1.
It also should be noted that the data paths, such as the paths 38 and 40, in reality pass through the Internet 20 many times. For the sake of clarity so as not to obscure FIG. 1, the paths merely are shown as passing through the relevant servers, such as the HA 25 and the FA 36. That is, the data paths 38 and 40 are shown as logical paths as shown in FIG. 1.
Operating in the manner as described above, the mobile node 30 is said to be communicating with the correspondent node 34 under the Mobile IP tunneling mode using the FA CoA.
In the above example, a data tunnel is said to exist between the nodes 30 and 34 through the HA 25 even though the mobile node 30 appears to receive data packets straightforwardly from the corresponding node 90. The advantage of using the tunneling mode is that when the mobile node 30 migrates to yet another foreign network, other than the update notice to the home network 22, there is no need for the mobile node 30 to send similar notice to the corresponding node 34. Thus, data sent and received by the corresponding node 34 appear to be uninterrupted.
As for the case of the CCoA, when the node 30 roams away from the home network 22, instead of requesting a FA CoA, the node 30 can instead request a CCoA from the foreign network. If the network 26 is a WAN supporting wireless technologies such as the cdma2000 standards promulgated by the TIA/EIA (Telecommunications Industry Association/Electronic Industries Association) and the 3GPP2 (3rd Generation Partnership Project 2), the CCoA can be requested and assigned remotely by the foreign network 26 via a PPP (Point-to-Point Protocol) between a PDSN (Packet Data Serving Node) 41 and the mobile node 30, for example. The PDSN 41 is basically a server in the network 36 serving and processing data traffic in the wireless portion of the network 26. However, other than the assignment of the CCoA by the foreign network 26, the node 30 performs all the functions of a foreign agent, such as the FA 36 as mentioned previously. Again, the mobile node 30 needs to register the CCoA with the home network 22.
For instance, to correspond with node 34 in the network 24, the node 30 sends out a data packet with two layers of addresses. In the outer layer, the source address is set to the CCoA, and the destination address is set to the HA 25. In the inner layer, the source address is the HoA of the node 30 and the destination address is the address of the node 34 in the foreign network 24. Upon receipt of the data packet from the roaming node 30, the HA 25 strips off the outer address layer and sends the data packet to the node 34 with the inner address layer. The logical path of the data packet is shown as data path 42 in FIG. 1.
In the reverse data path, that is, when the node 34 sends a data packet to the node 30, the data packet has only one address layer with the source address set to the node 34 and the destination address set to the HoA of the node 30. Upon receipt of the data packet, the HA 25 encapsulates the data packet with the CCoA as the destination address and the address of the HA 25 as the source address and sends the encapsulated data packet to the node 30. The node 30 performs the de-encapsulating on its own without going through the FA 36. The direction of the data packet is shown as data path 44 in FIG. 1.
Operating in the manner as described above, the roaming node 30 is said to be communicating with the correspondent node 34 under the Mobile IP tunneling mode using the CCoA.
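The reverse-path encapsulation described above (data path 44), as an added example that is not part of the original text: the HA wraps the packet from the node 34 in an outer header addressed to the CCoA, and a flow monitor has to peel that layer to ascertain the real source address, destination address and destination port. The text does not name the encapsulation format; this sketch assumes IP-in-IP (protocol 4, RFC 2003) over IPv4 with a UDP payload, and all addresses and ports are constructed.

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_UDP = 4, 17  # assumed encapsulation: IP-in-IP (RFC 2003); UDP

def checksum(data: bytes) -> int:
    """RFC 791 one's-complement header checksum (0 when run over a valid header)."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def flow_of(packet: bytes) -> dict:
    """Peel IP-in-IP layers; return tunnel endpoints and the inner flow."""
    layers = []
    while True:
        if len(packet) < 20 or packet[0] >> 4 != 4:
            raise ValueError("not an IPv4 header")
        ihl = (packet[0] & 0x0F) * 4
        if ihl < 20 or len(packet) < ihl or checksum(packet[:ihl]) != 0:
            raise ValueError("bad header length or checksum")
        total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
        layers.append((socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])))
        payload = packet[ihl:total_len]
        if proto != IPPROTO_IPIP:
            break
        packet = payload  # inner packet becomes the next layer to inspect
    dport = None
    if proto == IPPROTO_UDP and len(payload) >= 8:
        dport = struct.unpack("!H", payload[2:4])[0]
    return {"tunnel": layers[:-1], "src": layers[-1][0], "dst": layers[-1][1], "dport": dport}

# Constructed sample (RFC 5737 documentation addresses), modelling data path 44.
NODE34, HOA, HA, CCOA = "198.51.100.34", "192.0.2.30", "192.0.2.25", "203.0.113.30"
udp = struct.pack("!HHHH", 40000, 5004, 12, 0) + b"rtp!"  # constructed UDP datagram
inner = ipv4(NODE34, HOA, IPPROTO_UDP, udp)   # as sent by the node 34 toward the HoA
outer = ipv4(HA, CCOA, IPPROTO_IPIP, inner)   # as forwarded by the HA to the CCoA
```

`flow_of(inner)` and `flow_of(outer)` report the same inner flow; only the `tunnel` list differs. When the innermost payload is not UDP, `dport` comes back as `None`.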
Very often, data communications between the nodes need to be monitored and controlled for different reasons. For example, when the mobile node 30 and the corresponding node 34 are in a VoIP (Voice over IP) session, it must be certain that the participating parties, the mobile node 30 and the corresponding node 34 in this case, are authorized. Among other things, for each data packet, the source address, the destination address, and the destination port need to be ascertained. If the session is fee-based, a means of tracking has to be implemented for the purpose of accounting. For security and privacy reasons, it is common that data packets exchanged between the nodes are encrypted. Encryption schemes for packet data under the transport mode and the tunneling mode are different. Monitoring of encrypted data packets thus poses a special challenge. Yet there is increasing demand for secured and private communications over shared networks.
Accordingly, there is a need to provide secured monitoring schemes for packet data communications with encrypted data flows.